Installation
Gerion CLI orchestrates four security scanners (Gitleaks, OSV-Scanner, KICS, Opengrep) and sends normalized findings to the Gerion platform. Your code never leaves your infrastructure.
Option A — Docker (recommended)
The Docker image includes the CLI and all scanners pre-installed. No Python or additional dependencies required on the host.
    docker pull ghcr.io/gerion-appsec/gerion-cli:latest

First scan

    # Full scan of the current directory
    docker run --rm -v "$PWD:/code" \
      ghcr.io/gerion-appsec/gerion-cli:latest \
      scan-all /code

    # With results sent to the Gerion API
    docker run --rm -v "$PWD:/code" \
      -e GERION_API_URL="https://api.gerion.dev" \
      -e GERION_API_KEY="your-api-key" \
      ghcr.io/gerion-appsec/gerion-cli:latest \
      scan-all /code

Option B — Local installation (development)
For contributing to the project or running the CLI without Docker.
Requirements
- Python 3.12+
- Poetry
- Make
- curl and tar
Installation
    git clone https://github.com/gerion-appsec/gerion-cli
    cd gerion-cli
    make install

make install installs Python dependencies with Poetry and downloads the external scanner binaries (Gitleaks, Opengrep, OSV-Scanner, KICS) to ~/.local/bin.
Add ~/.local/bin to your PATH if it isn’t already:
    export PATH="$HOME/.local/bin:$PATH"

Verify the installation

    make check

Install components separately

    make install-python   # Python dependencies only
    make install-gitleaks
    make install-opengrep
    make install-osv-scanner
    make install-kics

Credential configuration
Get your API Key at gerion.dev → Settings → API Keys.
    export GERION_API_URL="https://api.gerion.dev"
    export GERION_API_KEY="your-api-key-here"

Create a .env file at the root of your project:

    GERION_API_URL=https://api.gerion.dev
    GERION_API_KEY=your-api-key-here

Add .env to your .gitignore.
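A pre-flight check for the .env setup above, as an added example that is not part of the Gerion documentation or CLI: it confirms both variables are set, the file is not accessible to group or other, the ignore rules cover it, and it is not already in the git index. The function name check_gerion_env is hypothetical, and the directory is assumed to be a git work tree.

```sh
#!/bin/sh
# Added example (not Gerion code). check_gerion_env is a hypothetical name.
# Usage: check_gerion_env DIR
# Prints one line per problem found; returns 0 only when nothing is wrong.
# Assumes DIR is the root of a git work tree.
check_gerion_env() {
    dir=${1:-.}
    envfile="$dir/.env"
    problems=0

    if [ ! -f "$envfile" ]; then
        echo "missing: $envfile"
        return 1
    fi

    # Both variables from the page must be present and non-empty.
    for var in GERION_API_URL GERION_API_KEY; do
        if ! grep -Eq "^${var}=.+" "$envfile"; then
            echo "unset: $var"
            problems=$((problems + 1))
        fi
    done

    # The API key is a bearer credential: group/other bits must all be clear.
    # Characters 5-10 of the ls mode string are the group and other triplets.
    mode=$(ls -ld "$envfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "permissions: $envfile is accessible to group/other (chmod 600)"
        problems=$((problems + 1))
    fi

    # --no-index evaluates the ignore rules alone, even if the file is tracked.
    if ! git -C "$dir" check-ignore --no-index -q .env 2>/dev/null; then
        echo "not ignored: add .env to .gitignore"
        problems=$((problems + 1))
    fi

    # An ignore rule does not untrack a file that is already in the index.
    if git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo "tracked: .env is in the index (git rm --cached .env, then rotate the key)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it from the project root as `check_gerion_env .` before the first commit or as a pre-commit hook step.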
First scan
    gerion scan-all /path/to/your/project

For individual scanners:

    gerion secrets-scan .
    gerion sca-scan .
    gerion sast-scan .
    gerion iac-scan .

Next steps
- Secrets Scan — Gitleaks
- SCA Scan — OSV-Scanner
- SAST Scan — Opengrep
- IaC Scan — KICS
- CI/CD Integration